如何在 HTTPS 伺服器後面設定 Keycloak

tag-icon tag-icon https reverse-proxy jboss
如何在 HTTPS 伺服器後面設定 Keycloak

我已經按照這裡的程序進行了操作 https://www.keycloak.org/docs/3.4/server_installation/index.html#enable-https-ssl-with-a-reverse-proxy 但當我嘗試打開時缺少一些東西https://auth.solidsense.tk/auth/realms/master/.well-known/openid-configuration 端點沒有正確的方案(http而不是https),我無法進入管理控制台

        listen 80;
        listen [::]:80;


        server_name auth.solidsense.tk;
        root /var/www/auth.solidsense.tk/html;
        index index.html index.htm index.nginx-debian.html;


        location /{ 
              proxy_set_header Host $host; 
              proxy_set_header X-Real-IP  $remote_addr; 
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header   Cookie $http_cookie;                 
              proxy_pass http://localhost:9080;

    }


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.solidsense.tk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.solidsense.tk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

root@scw-mainflux:~/keycloak-3.4.3.Final# git diff standalone/configuration/standalone.xml
diff --git a/standalone/configuration/standalone.xml b/standalone/configuration/standalone.xml
index 2cb189a..73db59c 100644
--- a/standalone/configuration/standalone.xml
+++ b/standalone/configuration/standalone.xml
@@ -465,7 +465,7 @@
         <subsystem xmlns="urn:jboss:domain:undertow:4.0">
             <buffer-cache name="default"/>
             <server name="default-server">
-                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+               <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"  enable-http2="true"/>
                 <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                 <host name="default-host" alias="localhost">
                     <location name="/" handler="welcome-content"/>
@@ -564,6 +564,7 @@
         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
         <socket-binding name="http" port="${jboss.http.port:8080}"/>
         <socket-binding name="https" port="${jboss.https.port:8443}"/>
+        <socket-binding name="proxy-https" port="443"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

答案1

我知道這個問題已經過時了,但仍然沒有得到解答,而且從觀看次數來看,這個問題一次又一次地出現。我想很多人最終都會自己找到答案,但不會發布,所以我會發布對我有用的內容。

典型場景 Internet -> HTTPS -> ModSecNginx -> HTTP -> Keycloak

Keycloak 4.4.0 ModSecurity-nginx v1.0.0(內聯/本地/遠端載入規則:0/903/0)

在做了“所有事情”之後,我遇到了同樣的問題,keycloak代理轉發true,nginx建議..等等。

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"http://modsec.redacted.com/auth/realms/master","authorization_endpoint":"http://modsec.redacted.com/auth/realms/master/protocol/openid-connect/auth"....

配置

    server
    {
      listen 80;
      listen [::]:80;
      location /
        {

          modsecurity on;
          modsecurity_rules '
            SecRuleEngine On
            SecDebugLog /tmp/modsec_debug.log
            # Debug Levels are 3,4,5,9
            SecDebugLogLevel 3
            # The below rules are disabled, else keycloak does not work at paranoia level 5
            SecRuleRemoveById 942432 920273 942421 942420
          ';
          proxy_set_header    Host               $http_host;
          proxy_set_header    X-Real-IP          $remote_addr;
          proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
          proxy_set_header    Cookie              $http_cookie;
          proxy_set_header    X-Forwarded-Host   $host;
          proxy_set_header    X-Forwarded-Server $host;
          proxy_set_header    X-Forwarded-Port   $server_port;
          proxy_set_header    X-Forwarded-Proto  $scheme;
          proxy_pass http://keycloak:8080;
        }
    }

這就是我必須做的

改變:

          proxy_set_header    X-Forwarded-Proto  $scheme;

到:

          proxy_set_header    X-Forwarded-Proto  https;

結果

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"https://modsec.redacted.com:80/auth/realms/master","authorization_endpoint":"https://modsec.redacted.com:80/auth/realms/master/protocol/openid-connect/auth"

你看到發生了什麼事了嗎?

然後改變:

          proxy_set_header    X-Forwarded-Port   $server_port;

到:

          proxy_set_header    X-Forwarded-Proto  443;

或者,完全取出。

結果

curl https://modsec.redacted.com/auth/realms/master/.well-known/openid-configuration
{"issuer":"https://modsec.redacted.com/auth/realms/master","authorization_endpoint":"https://modsec.redacted.com/auth/realms/master/protocol/openid-connect/auth",

您的管理控制台也將開始運作。我確信 Nginx 有適當的變數($request_scheme,或 $client_scheme 可能?)。

這就對了!

相關內容